@matthieubosquet
Last active June 25, 2021 09:32
@prefix solid: <http://www.w3.org/ns/solid/terms#> .
<#app> solid:oidcRegistration """{
"client_id" : "https://gist.githubusercontent.com/matthieubosquet/0c15b00da900f8c184410167c08dd8c8/raw/client_id.ttl#app",
"redirect_uris" : ["http://localhost:8080/"],
"client_name" : "Test Application WebID",
"scope" : "openid webid",
"grant_types" : ["authorization_code"],
"response_types" : ["code"]
}""" .

A Pod, an Identity Provider and a WebID

This document describes the relationship between the three parties to identity assertion in the Solid ecosystem: a WebID, an Identity Provider and a Pod.

Terminology

A WebID

A WebID is an IRI over which one asserts control and denotes:

An Identity Provider

An Identity Provider provides an identity assertion service and denotes:

A Pod

A Solid Data Pod (Pod) grants and denies access to resources denoted by IRIs; the agents it grants access to are themselves denoted by IRIs, which may be WebIDs.

Granting and denying access to resources is usually based on some form of identity assertion: proof that the requesting agent controls the WebID it claims.

How to create a Pod?

Requirements

Creating a Pod requires:

  • A WebID
  • An Identity Provider

I don't have a WebID

I need to mint one. I can either buy a domain name and publish a profile document there myself, or find a service provider that mints WebIDs.

I have a WebID but no IdP

I need to sign up with an IdP using my WebID. I will also need to declare the IdP as a trusted Identity Provider by editing my WebID profile document and listing it as a solid:oidcIssuer; an IdP that is not listed there cannot vouch for my WebID.

I just want to create a Pod

If you don't want to bother with the manual steps, here is how a Pod signup protocol might work:

  1. Go to https://pod.example.com
  2. Click create new Pod
  3. In the user ID field, instead of using an existing WebID such as https://alice.example.com/#me, choose a name that will allow pod.example.com to mint a WebID for you, for example alice
  4. Choose an Identity Provider from the dropdown of IdPs trusted by https://pod.example.com, or enter the URI of one, for example https://idp.example.com
  5. Click on register
  6. pod.example.com mints a WebID for you, listing https://idp.example.com as its trusted solid:oidcIssuer together with a randomly generated OIDC registration token
  7. You get redirected to https://idp.example.com to register with the issuer, with your WebID and OIDC registration token as prefilled parameters
  8. Fill in the registration form, which may include an email address for recovery...
  9. Register/login with your IdP, which fetches the WebID minted for you by your Pod provider and checks that it names the IdP as trusted issuer and carries the registration token
  10. Once logged in, you get redirected to your Pod provider, which finishes provisioning your Pod and grants you access to it since you are now logged in

Note: Both the WebID provider and the IdP can require extra account recovery signup parameters, such as an email address, a second WebID, or recovery codes they hand to you...

If the Pod provider is not your WebID provider, it should not ask for extra account recovery signup parameters of its own; a Pod can, however, be co-owned by multiple WebIDs.

I have a WebID and an IdP

  1. Go to pod.example.com
  2. Click register for a Pod
  3. Enter your WebID and your IdP
  4. Get redirected to your IdP and login
  5. Get redirected back to your Pod provider, which verifies that the login proves your control of the WebID (the IdP that issued it must be listed as solid:oidcIssuer in your WebID document) and provisions a Pod for you
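The two trust checks that make the flows above safe, written out as an added example (this is not code from the gist). It assumes two things the page does not state: that the registration token is published in the WebID document under a hypothetical predicate `ex:oidcRegistrationToken` in a made-up namespace, and that the profile is read with a minimal one-triple-per-line matcher that only understands the serialisation this code itself emits. Real code must parse arbitrary Turtle with an RDF parser such as N3, because a WebID document fetched from the network is attacker-controlled input. The function names are this example's own.

```typescript
// Added example, not code from the gist. See the lead-in for assumptions.
import { randomBytes, timingSafeEqual } from "crypto";

const SOLID = "http://www.w3.org/ns/solid/terms#";
const FOAF = "http://xmlns.com/foaf/0.1/";
const EX = "https://example.org/ns#"; // hypothetical namespace for the registration token predicate

/** Reject anything that could break out of <...> or "..." when serialised into Turtle. */
function assertSafeTerm(value: string): void {
  if (/[<>"\s\\]/.test(value)) throw new Error(`unsafe character in term: ${value}`);
}

export function newRegistrationToken(): string {
  return randomBytes(32).toString("base64url"); // base64url: no quotes, no whitespace
}

/** Step 6: the Pod provider mints the new user's WebID document. */
export function mintWebIdProfile(webid: string, issuer: string, token: string): string {
  [webid, issuer, token].forEach(assertSafeTerm);
  const doc = webid.split("#")[0];
  return [
    `<${webid}> <${FOAF}isPrimaryTopicOf> <${doc}> .`,
    `<${webid}> <${SOLID}oidcIssuer> <${issuer}> .`,
    `<${webid}> <${EX}oidcRegistrationToken> "${token}" .`,
  ].join("\n") + "\n";
}

/** Toy triple lookup over the serialisation above: `<s> <p> <o> .` or `<s> <p> "lit" .` per line. */
function objectsOf(turtle: string, subject: string, predicate: string): string[] {
  const out: string[] = [];
  for (const line of turtle.split("\n")) {
    const m = /^<([^>]*)> <([^>]*)> (?:<([^>]*)>|"([^"]*)") \.$/.exec(line);
    if (m && m[1] === subject && m[2] === predicate) out.push(m[3] ?? m[4]);
  }
  return out;
}

/** Constant-time comparison so the token check does not leak how many leading bytes matched. */
function tokensEqual(a: string, b: string): boolean {
  const ab = Buffer.from(a), bb = Buffer.from(b);
  return ab.length === bb.length && timingSafeEqual(ab, bb);
}

/**
 * Step 9: before binding `webid` to a new account, the IdP fetches the WebID
 * document and checks that it (a) names this IdP as solid:oidcIssuer and
 * (b) carries the token the user presented. Without (a) anyone could register
 * someone else's WebID here; without (b) anyone could claim a freshly minted
 * WebID that already trusts this IdP before its real owner gets to it.
 */
export function idpMayBindWebId(profile: string, webid: string,
                                thisIssuer: string, presentedToken: string): boolean {
  const issuers = objectsOf(profile, webid, SOLID + "oidcIssuer");
  const tokens = objectsOf(profile, webid, EX + "oidcRegistrationToken");
  return issuers.includes(thisIssuer) && tokens.some((t) => tokensEqual(t, presentedToken));
}

/**
 * Step 10 (and step 5 of "I have a WebID and an IdP"): the Pod provider gets an
 * ID token with `iss` and `webid` claims back from the IdP. It must only treat
 * the login as proof of control of `webid` if that WebID's own document lists
 * `iss`; otherwise any IdP could vouch for any WebID.
 */
export function podProviderAcceptsLogin(profile: string,
                                        claims: { iss: string; webid: string }): boolean {
  return objectsOf(profile, claims.webid, SOLID + "oidcIssuer").includes(claims.iss);
}
```

Once the IdP has bound the account and the Pod provider has finished provisioning, the registration token has done its job; leaving it in a world-readable profile serves no purpose, so the Pod provider should remove that triple.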
/** JSON Web Algorithms */
// Cryptographic curve
// crv values "P-256", "P-384" and "P-521" used by the JWA spec
// all require x and y coordinates
// as per [RFC7518] (JSON Web Algorithms) https://tools.ietf.org/html/rfc7518#section-6.2.1.1
type CryptographicCurve = "P-256" | "P-384" | "P-521";
// Digital Signature Cryptographic Algorithm
// ES256 & RS256 are both recommended implementations in JWA libraries
// ES256 is likely to become required
// as per [RFC7518] (JSON Web Algorithms) https://tools.ietf.org/html/rfc7518#section-3
// see also DPoP draft https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-4.1
type DigitalSignatureCryptographicAlgorithm = "RS256" | "RS384" | "RS512" | "ES256" | "ES384" | "ES512" | "PS256" | "PS384" | "PS512";
/** JSON Web Key */
// Key Type
// Describes the cryptographic algorithm family of a JSON Web Key
// - EC for Elliptic Curve
// - RSA for RSA
// - oct for Octet sequence (used to represent symmetric keys)
// as per [RFC7517] (JSON Web Key) https://tools.ietf.org/html/rfc7517#section-4.1
// see also [RFC7518] (JSON Web Algorithms) https://tools.ietf.org/html/rfc7518#section-6.1
type KeyType = "EC" | "RSA" | "oct";
// Key Operations
// Identifies the operation(s) for which the key is intended to be used
// - "sign" (compute digital signature or MAC)
// - "verify" (verify digital signature or MAC)
// - "encrypt" (encrypt content)
// - "decrypt" (decrypt content and validate decryption, if applicable)
// - "wrapKey" (encrypt key)
// - "unwrapKey" (decrypt key and validate decryption, if applicable)
// - "deriveKey" (derive key)
// - "deriveBits" (derive bits not to be used as a key)
// as per [RFC7517] (JSON Web Key) https://tools.ietf.org/html/rfc7517#section-4.3
type KeyOperations = "sign" | "verify" | "encrypt" | "decrypt" | "wrapKey" | "unwrapKey" | "deriveKey" | "deriveBits";
// Key Use
// Describes the intended use of the public key
// - sig for signature
// - enc for encryption
// as per [RFC7517] (JSON Web Key) https://tools.ietf.org/html/rfc7517#section-4.2
type KeyUse = "sig" | "enc";
// JSON Web Key
// kty: key type (REQUIRED)
// use: key use
// key_ops: key operations, an array of operation names (see https://tools.ietf.org/html/rfc7517#section-4.3)
// alg: algorithm (see https://tools.ietf.org/html/rfc7517#section-4.4)
// kid: key id (see https://tools.ietf.org/html/rfc7517#section-4.5)
// x5u: X.509 URL (see https://tools.ietf.org/html/rfc7517#section-4.6)
// x5c: X.509 certificate chain, an array of base64 DER certificates (see https://tools.ietf.org/html/rfc7517#section-4.7)
// x5t: X.509 certificate SHA-1 thumbprint (see https://tools.ietf.org/html/rfc7517#section-4.8)
// x5t#S256: X.509 certificate SHA-256 thumbprint (see https://tools.ietf.org/html/rfc7517#section-4.9)
// crv: curve (see https://tools.ietf.org/html/rfc7518#section-6.2.1.1)
// x: elliptic curve point x coordinate (see https://tools.ietf.org/html/rfc7518#section-6.2.1.2)
// y: elliptic curve point y coordinate (see https://tools.ietf.org/html/rfc7518#section-6.2.1.3)
// n, e: RSA public modulus and exponent (see https://tools.ietf.org/html/rfc7518#section-6.3.1)
// Public members only: private members (d, p, q, ...) must never appear in a key sent on the wire, e.g. in a DPoP header.
// as per [RFC7517] https://tools.ietf.org/html/rfc7517#section-4
type JSONWebKey = {
  kty: KeyType,
  use?: KeyUse,
  key_ops?: KeyOperations[],
  alg?: DigitalSignatureCryptographicAlgorithm | string,
  kid?: string,
  x5u?: string,
  x5c?: string[],
  x5t?: string,
  "x5t#S256"?: string,
  crv?: CryptographicCurve,
  x?: string,
  y?: string,
  n?: string,
  e?: string
}
type HTTPMethod = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
// DPoP JWT
// Prove knowledge of private key
// as per DPoP draft https://tools.ietf.org/html/draft-fett-oauth-dpop-04#section-4.1
type DPoP = {
  header: DPoPHeader,
  payload: DPoPBody,
  signature: string
}
type DPoPHeader = {
  typ: "dpop+jwt",
  // asymmetric algorithms only: "none" and the HS* MAC algorithms are never valid for a DPoP proof
  alg: DigitalSignatureCryptographicAlgorithm,
  // the public key the proof is signed with, public members only
  jwk: JSONWebKey
}
type DPoPBody = {
  jti: string,   // unique per proof, so the server can reject replays
  htm: HTTPMethod,
  htu: string,   // request URI without query and fragment
  iat: number
}